The Distraction of “Who Did It”

The new year is only moments old and we’re already off to a breakneck start: ignoring the greater issue (critical infrastructure cyber security) in favor of the one that’s more fun (attribution of attackers). Earlier this year, the discovery of Grizzly Steppe malware on a Vermont utility laptop not connected to the power grid gave the press a red-letter day, with nuggets such as the following:

“This is beyond hackers having electronic joy rides — this is now about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter,” Senator Patrick Leahy (D-VT) said in a statement on Friday.

Vermont governor Peter Shumlin (D): “Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety.”

Unfortunately, these statements were made when policymakers believed the electrical grid had been compromised by Russian state-sponsored adversaries – in other words, based upon inaccurate scare headlines. A newspaper or network can make a correction or retraction, but the nuance is often lost in the noise. The rhetoric from policymakers proved to be not only potentially incorrect, but also misplaced.

Instead of participating in America’s favorite pastime, ‘The Blame Game,’ we need to focus upon ensuring that critical infrastructure with internet-facing components is secure and monitored. Let’s say for the sake of argument that the malware discovered on the Vermont laptop was Grizzly Steppe. This malware is attributed to Russian state-sponsored adversaries, but malicious code is often sold and traded on the dark web. Several considerations matter more than who did it, such as:

The laptop attacked wasn’t attached to the power grid at the time – but does that really matter? It’s a laptop owned by the utility and it moves around, so the infection could spread to other systems.

Mobile code can traverse to the power grid side of an air gap, as German nuclear power providers discovered last year.

Operators will err on the side of convenience prior to understanding the risks of connecting internet-enabled devices, as the Rye, NY municipal services flood control team found out.

Manufacturers of equipment utilized in critical infrastructure are consistently doing a sub-optimal job of delivering equipment that’s ready for internet scrutiny. In the case of Mirai, thousands of CCTV cameras and corresponding DVRs were utilized in massive distributed denial of service attacks.

Rather than focusing on attribution, which is extremely tricky and doesn’t address the root problems, critical infrastructure practitioners need to be focusing their efforts on their internet-enabled systems and looking at the following:

First and foremost, does the internet-facing piece of equipment need to be internet-enabled? Is it critical to monitoring, operations, lowering maintenance costs, providing data, or other mission-supporting activities? If not, shut the internet interface off.

If internet access is required, what interface is available publicly? If telnet, why not use SSH? If SSH, why not limit connections to the known few? If limiting connections, why not enforce multi-factor authentication? If enforcing MFA, log and monitor.

Any number of freeware tools can find the kinds of low-hanging flaws used to create the Mirai botnet. Your adversary is not omnipotent; they just use the lowest-hanging fruit to attack your infrastructure. Scan for low-hanging fruit routinely and automatically, and act upon the results.
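As an added example (not from the original post), here is a small Python audit that walks an sshd_config through the ladder just described: no password-only logins, access limited to known users and hosts, a multi-factor authentication chain, and logging verbose enough to monitor. Both configs are constructed samples, and the user name and network in the hardened one are placeholders.

```python
# Constructed sample: a permissive sshd_config as shipped on a field device.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LogLevel QUIET
"""

# Constructed sample: the same host after working through the ladder.
# The user name and network are placeholders, not values from the post.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers ops-admin@198.51.100.0/24
AuthenticationMethods publickey,keyboard-interactive
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value; like sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit_sshd(text):
    """Return a list of findings; an empty list means the config passes the ladder."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("root login permitted")
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("password-only logins allowed")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("not limited to a known set of users/hosts")
    # AuthenticationMethods lists alternative chains separated by spaces;
    # a chain with fewer than two comma-separated methods is single factor.
    chains = cfg.get("authenticationmethods", "").split()
    if not chains or any("," not in chain for chain in chains):
        findings.append("no multi-factor AuthenticationMethods chain")
    if cfg.get("loglevel", "INFO").upper() in ("QUIET", "FATAL", "ERROR"):
        findings.append("LogLevel too quiet to monitor")
    return findings
```

Run it against the real file on a device (`audit_sshd(open("/etc/ssh/sshd_config").read())`) to get a checklist of which rungs of the ladder are still missing.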

The lesson of minor incidents such as what occurred in Vermont shouldn’t be to yell about who might have done it. It’s to use the raised visibility to improve security practices, so that adversaries will have a harder time creating major incidents.